1.2 Identity broker terminologies

Multiple SAML Providers :

It’s not necessary for all of your user Identities to be stored in one Identity Provider/Source. In a realistic scenario, user identities are stored across different Identity Providers. miniOrange provides a feature where you can configure multiple Identity Providers to authenticate your user against. Admins can configure multiple SAML Identity Providers and configure which users/apps authenticate against which Identity Source.

App based Identity Source :

With the ability to configure multiple Identity Sources, one issue that arises is how to authenticate the right set of users against the correct Identity Source. One way to handle this is by allowing admins to configure the Identity Source on a per-app basis. miniOrange provides a feature where admins can configure which Identity Source users should be authenticated against when the authentication request originates from a particular app.

Domain-based redirection to IDP :

With the ability to configure multiple SAML Identity Providers, one issue that arises is how to authenticate the right set of users against the correct SAML Identity Provider. One way to handle this is through domain-based redirection. miniOrange provides a feature where admins can configure the domains of the users who should authenticate against a particular SAML Identity Provider. The miniOrange system then checks the domain of the user automatically and redirects the user to the correct SAML Identity Provider to authenticate against.

IDP discovery :

It might not always be possible to know where the user identity is stored and which Identity Source to authenticate against. miniOrange provides an Identity Provider Discovery endpoint where users can choose the Identity Provider to authenticate with. On successful authentication, the chosen Identity Source is remembered by the system, so that on later logins the user is redirected to that Identity Source automatically without being prompted to choose an Identity Source on each attempt.
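The three selection mechanisms above (per-app Identity Source, domain-based redirection and a remembered discovery choice) have to be combined into one decision for each login. The following is an added illustration of one way a broker could order them; it is not miniOrange code, and the configuration, identity sources, endpoint names and users in it are constructed for the example. The point it makes for a defender: a remembered choice arrives from the client (a cookie, for instance), so it is only honoured when it names an Identity Source the admin actually configured, and an e-mail domain that matches more than one source is treated as unresolved rather than picking one arbitrarily.

```python
"""Identity Source selection for a SAML broker (added example, not miniOrange code).

Resolution order used here (an assumption for illustration, not the product's):
  1. an Identity Source configured for the requesting app,
  2. an Identity Source remembered from an earlier discovery choice,
  3. the single Identity Source whose domain list matches the user's e-mail domain,
  4. otherwise the user is sent to the discovery endpoint to choose.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IdentitySource:
    name: str
    sso_url: str                                   # constructed field name
    domains: set = field(default_factory=set)      # exact domain matches only


@dataclass
class BrokerConfig:
    sources: dict                                  # name -> IdentitySource
    app_source: dict                               # app id -> Identity Source name
    discovery_url: str


@dataclass
class Decision:
    redirect_to: str
    source: Optional[str]                          # None when discovery is needed
    reason: str                                    # "app" | "remembered" | "domain" | "discovery"


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain part of an address, or None if malformed."""
    if email.count("@") != 1:
        return None
    _, _, domain = email.partition("@")
    domain = domain.strip().lower()
    return domain or None


def is_configured_source(cfg: BrokerConfig, name) -> bool:
    """A remembered choice is client-supplied; only configured names are trusted."""
    return isinstance(name, str) and name in cfg.sources


def select_identity_source(cfg: BrokerConfig, app_id: str, email: Optional[str],
                           remembered: Optional[str] = None) -> Decision:
    # 1. App-based Identity Source wins, because the admin bound it explicitly.
    name = cfg.app_source.get(app_id)
    if name in cfg.sources:
        return Decision(cfg.sources[name].sso_url, name, "app")

    # 2. A remembered discovery choice, validated against the configuration.
    if is_configured_source(cfg, remembered):
        return Decision(cfg.sources[remembered].sso_url, remembered, "remembered")

    # 3. Domain-based redirection; an ambiguous domain falls through to discovery.
    domain = email_domain(email) if email else None
    if domain:
        matches = [s for s in cfg.sources.values() if domain in s.domains]
        if len(matches) == 1:
            return Decision(matches[0].sso_url, matches[0].name, "domain")

    # 4. Nothing decided it: let the user choose at the discovery endpoint.
    return Decision(cfg.discovery_url, None, "discovery")


# Constructed sample configuration for the example.
SAMPLE_CONFIG = BrokerConfig(
    sources={
        "acme":   IdentitySource("acme",   "https://idp.acme.example/sso",   {"acme.example", "shared.example"}),
        "globex": IdentitySource("globex", "https://idp.globex.example/sso", {"globex.example", "shared.example"}),
    },
    app_source={"hr-portal": "globex"},
    discovery_url="https://broker.example/discovery",
)

if __name__ == "__main__":
    for app, user, remembered in [("hr-portal", "bob@acme.example", None),
                                  ("wiki", "bob@acme.example", None),
                                  ("wiki", "bob@acme.example", "globex"),
                                  ("wiki", "bob@acme.example", "not-configured"),
                                  ("wiki", "eve@shared.example", None),
                                  ("wiki", "x@unknown.example", None)]:
        d = select_identity_source(SAMPLE_CONFIG, app, user, remembered)
        print(f"{app:10} {user:22} remembered={remembered!s:16} -> {d.reason:10} {d.redirect_to}")
```

The remembered value is deliberately checked with `is_configured_source` rather than used as a lookup key or redirect target directly; a tampered cookie then degrades to the domain rule or discovery instead of steering the login anywhere else.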

Assertion Attribute Mapping :

SP initiated SSO :

Single sign-on (SSO) is a session and user authentication service that allows a user to use one set of login credentials (e.g. name and password) to access multiple applications. When users land on the Service Provider first and are then redirected to the Identity Provider for authentication, this is termed SP-initiated SSO.

Users are redirected to the IdP with an authentication request, either automatically or on clicking a button/link. This request is read and processed by the IdP. If the user has an active session at the IdP, the user is redirected back to the Service Provider with a valid authentication response.

miniOrange supports SP-initiated SSO in the broker flow, with each application having its own unique SSO endpoint.

IDP initiated SSO :

Single sign-on (SSO) is a session and user authentication service that allows a user to use one set of login credentials (e.g. name and password) to access multiple applications. When users land on the Identity Provider first and are then redirected to the Service Provider, this is termed IdP-initiated SSO.

In the broker flow, miniOrange provides a way for admins to let their users log in to their Identity Provider first and then be redirected to the app with a valid authentication response. miniOrange provides unique IdP-initiated SSO endpoints on a per-app basis, which can be used to redirect the user from their Identity Provider directly.
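The practical difference between the two flows shows up when the broker receives the authentication response. In SP-initiated SSO the broker issued a SAML AuthnRequest and the response carries that request's ID in `InResponseTo`; in IdP-initiated SSO the response is unsolicited and has no `InResponseTo`, so it is only acceptable on an app's IdP-initiated endpoint. The following added example (not miniOrange code) sketches that bookkeeping with minimal SAML XML built by `xml.etree`; the app configuration, endpoint names (`"sp"` and `"idp"`), the `idp_initiated` flag and the helper that fabricates a response are constructed for the example. Signature, `Destination` and `Audience` checks are needed in a real broker and are deliberately left out here.

```python
"""SP-initiated vs IdP-initiated response handling in a broker (added example, not miniOrange code).

Rules implemented (standard SAML practice, applied to the per-app endpoints the page describes):
  * An AuthnRequest ID is remembered once, with the app it was issued for and when.
  * A response with InResponseTo must name an outstanding request for the same app,
    is consumed on first use (no replay) and must arrive within max_age seconds.
  * A response without InResponseTo is IdP-initiated: accepted only on the app's
    IdP-initiated endpoint, and only if the app permits IdP-initiated SSO.
"""
import secrets
import time
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def _instant(ts: float) -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


class Broker:
    def __init__(self, apps: dict):
        # apps: app id -> {"idp_initiated": bool}; constructed shape for the example.
        self.apps = apps
        self.pending = {}      # AuthnRequest ID -> (app_id, issued_at)

    def build_authn_request(self, app_id: str, issuer: str, destination: str, now=None):
        """Start SP-initiated SSO for an app; returns (request_id, xml)."""
        now = time.time() if now is None else now
        req_id = "_" + secrets.token_hex(16)          # unpredictable, single-use ID
        root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
            "ID": req_id, "Version": "2.0",
            "IssueInstant": _instant(now), "Destination": destination,
        })
        ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
        self.pending[req_id] = (app_id, now)
        return req_id, ET.tostring(root, encoding="unicode")

    def validate_response(self, app_id: str, endpoint: str, response_xml: str,
                          now=None, max_age: float = 300.0):
        """Return (accepted, reason). endpoint is "sp" or "idp" (the app's two endpoints)."""
        now = time.time() if now is None else now
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return False, "not a samlp:Response"
        in_response_to = root.get("InResponseTo")

        if in_response_to is None:
            # Unsolicited response: IdP-initiated SSO.
            if endpoint != "idp":
                return False, "unsolicited response on SP-initiated endpoint"
            if not self.apps.get(app_id, {}).get("idp_initiated", False):
                return False, "IdP-initiated SSO not enabled for app"
            return True, "idp-initiated"

        # Solicited response: must match exactly one outstanding request, once.
        if endpoint != "sp":
            return False, "solicited response on IdP-initiated endpoint"
        entry = self.pending.pop(in_response_to, None)
        if entry is None:
            return False, "unknown or already used InResponseTo"
        issued_for, issued_at = entry
        if issued_for != app_id:
            return False, "request was issued for a different app"
        if now - issued_at > max_age:
            return False, "request expired"
        return True, "sp-initiated"


def build_response(in_response_to=None, issuer="https://idp.example/metadata", now=None) -> str:
    """Constructed stand-in for what an IdP would send; no assertion or signature."""
    now = time.time() if now is None else now
    attrs = {"ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _instant(now)}
    if in_response_to is not None:
        attrs["InResponseTo"] = in_response_to
    root = ET.Element(f"{{{SAMLP}}}Response", attrs)
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    broker = Broker({"crm": {"idp_initiated": True}, "wiki": {"idp_initiated": False}})
    rid, _ = broker.build_authn_request("crm", "https://broker.example/sp", "https://idp.example/sso")
    print("SP-initiated:", broker.validate_response("crm", "sp", build_response(rid)))
    print("replay      :", broker.validate_response("crm", "sp", build_response(rid)))
    print("IdP-initiated (crm) :", broker.validate_response("crm", "idp", build_response()))
    print("IdP-initiated (wiki):", broker.validate_response("wiki", "idp", build_response()))
```

Because the request ID is popped from `pending` on first use, a second delivery of the same response is rejected, and a response for one app cannot be redeemed at another app's endpoint even though the broker fronts all of them.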